Netgate Discussion Forum

    Blocking Android and iOS devices from visiting porn sites

    Cache/Proxy
    almabes

      I haven't found this problem or solution anywhere else on the forum, so I thought I might share.

      This past week I was tasked by a customer with setting up porn blocking on the customer's network.  I had just recently installed an RCC-VE 2440 device with the latest pfSense.  It seemed like a fairly easy, straightforward request: set up Squid 3 as a transparent proxy, set up SquidGuard, import Shalla's list and set up blocks.

      It works great on all the Windows machines in the building; however, I was still able to visit various tube sites when I checked from my phone.  I wracked my brain for a couple of days until I finally figured it out...

      Chrome on Android and iOS has a "data saver" feature.  Google, with their near infinite computing power (and wishes to mine infinite amounts of data), has set up compression proxies.  These proxy servers will save bytes on your data plan in return for Google knowing everywhere you go on the internet.  They also completely bypass my SquidGuard rules.

      The solution I found was to create a Target Category and list googlezip.net in the domains box.

      I set the redirect mode to "int blank page".

      I added the targeted category to my common ACL and set it to deny.  Saved and applied the config.

      No more porn on phones.

      YMMV

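A defender-side check for the bypass described in this post, added here as an example and not code from the thread or from the pfSense/Squid projects: it scans a Squid access log and lists which LAN clients are sending their HTTP traffic through Google's Data Saver compression proxies (googlezip.net). The sample log lines are constructed in Squid's native access.log layout (client address is the third field, requested URL the seventh); the log path in the comment is the pfSense Squid package's usual location and is stated as an assumption.

```shell
#!/bin/sh
# Added example, not part of the thread: audit a Squid access.log for LAN clients whose
# HTTP traffic is going to Google's Data Saver compression proxies (googlezip.net).
# Such requests reach SquidGuard with googlezip.net as the destination, not the site
# the user actually asked for, so category blocks never see the real URL.

# Constructed sample in Squid's native access.log layout:
# timestamp elapsed client code/status bytes method URL ident hierarchy content-type
SAMPLE_LOG=$(cat <<'EOF'
1430000000.101   120 192.168.1.50 TCP_MISS/200 3210 GET http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1430000000.202    98 192.168.1.50 TCP_MISS/200 9901 GET http://proxy.googlezip.net/q?u=http%3A%2F%2Fexample.org%2F - HIER_DIRECT/203.0.113.9 text/html
1430000000.303    45 192.168.1.51 TCP_TUNNEL/200 2200 CONNECT PROXY.GOOGLEZIP.NET:443 - HIER_DIRECT/203.0.113.9 -
1430000000.404   210 192.168.1.52 TCP_MISS/200 4100 GET http://www.example.net/page - HIER_DIRECT/198.51.100.7 text/html
1430000000.505    77 192.168.1.50 TCP_MISS/200 1500 GET http://compress.googlezip.net/ - HIER_DIRECT/203.0.113.10 text/html
1430000000.606    66 192.168.1.52 TCP_MISS/200 1800 GET http://notgooglezip.net/ - HIER_DIRECT/198.51.100.8 text/html
EOF
)

# Read log lines on stdin; print "client count" for every client with at least one
# request whose URL host is googlezip.net or a subdomain of it (case-insensitive,
# port and path stripped; CONNECT lines carry host:port with no scheme).
compression_proxy_clients() {
    awk '{
        url = $7
        sub(/^[a-z]+:\/\//, "", url)   # drop scheme
        sub(/[\/?].*$/, "", url)       # drop path and query
        sub(/:[0-9]+$/, "", url)       # drop port
        host = tolower(url)
        if (host == "googlezip.net" || host ~ /\.googlezip\.net$/) count[$3]++
    }
    END { for (c in count) print c, count[c] }' | sort
}

# Run the check over the constructed sample. On a live pfSense box you would feed
# the Squid package's access log instead (assumed path: /var/squid/logs/access.log).
bypass_report() {
    printf '%s\n' "$SAMPLE_LOG" | compression_proxy_clients
}

bypass_report
```

On the sample above the report names 192.168.1.50 (two proxied requests) and 192.168.1.51 (one CONNECT to the proxy), and ignores the look-alike host notgooglezip.net, which is why the match is on the exact domain or a dotted subdomain rather than a substring. Clients that show up here are the ones whose real destinations SquidGuard is not seeing; once googlezip.net is in a denied Target Category, the same check should come back empty.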
      aGeekhere

        @almabes:

        Set up Squid 3 as a transparent proxy, set up SquidGuard, import Shalla's list and set up blocks.

        This is all I needed to do to get it working (just checked my Android tablet and sites are getting blocked).  I did not need to set up a Target Category.

        Have you set up Squid to block https sites yet?

        Never Fear, A Geek is Here!

        almabes

          I have not.

          At this point I see too much risk implementing an https proxy at the customer's site.  They're a motorcycle dealership, and have https LOB websites that if I break or make act squirrely they can't sell bikes.

          I haven't had a chance to experiment with https filtering on my 3 lab rats (aged 18, 19, and 21), yet either.

          Are you using data saver on your tablet? 
          Did you enable the block URLs with IPs option?  I have it turned off.  They have a few sites that they access which act goofy with it on.

          aGeekhere

            Are you using data saver on your tablet?

            No

            Did you enable the block URLs with IPs option?

            No

            Never Fear, A Geek is Here!

            almabes

              Ok…hmmm...
              My phone is a KitKat device, running Chrome.  I haven't tried it from my Asus tablet yet.

              The source of my info for blocking access to googlezip.net is
              https://support.google.com/chrome/answer/3517349?hl=en

              I'm still curious why my networks/devices have to have the googlezip.net domain blocked and yours do not.

              andrei.bnu

                @almabes:

                I haven't found this problem or solution anywhere else on the forum, so I thought I might share.

                This past week I was tasked by a customer with setting up porn blocking on the customer's network.  I had just recently installed an RCC-VE 2440 device with the latest pfSense.  It seemed like a fairly easy, straightforward request: set up Squid 3 as a transparent proxy, set up SquidGuard, import Shalla's list and set up blocks.

                It works great on all the Windows machines in the building; however, I was still able to visit various tube sites when I checked from my phone.  I wracked my brain for a couple of days until I finally figured it out...

                Chrome on Android and iOS has a "data saver" feature.  Google, with their near infinite computing power (and wishes to mine infinite amounts of data), has set up compression proxies.  These proxy servers will save bytes on your data plan in return for Google knowing everywhere you go on the internet.  They also completely bypass my SquidGuard rules.

                The solution I found was to create a Target Category and list googlezip.net in the domains box.

                I set the redirect mode to "int blank page".

                I added the targeted category to my common ACL and set it to deny.  Saved and applied the config.

                No more porn on phones.

                YMMV

                Thx man.

                You saved my life.

                KOM

                  They also completely bypass my squidguard rules.

                  If you have it configured correctly, this is impossible unless they're using their cellular data plan.  Android devices do not support WPAD for proxy auto-discovery, so unless you have blocked LAN ports 80/443 then Android will just go direct.

                  Moscu

                    @KOM:

                    They also completely bypass my squidguard rules.

                    If you have it configured correctly, this is impossible unless they're using their cellular data plan.  Android devices do not support WPAD for proxy auto-discovery, so unless you have blocked LAN ports 80/443 then Android will just go direct.

                    I think this is because he set up a transparent proxy, so HTTPS bypasses the proxy entirely, not because of the lacking WPAD support.  Transparent redirects 80 to the proxy port by default.

                    Also, just to mention it, you can configure the proxy autoconfiguration URL manually now on Android 4+.  WPAD is still missing, which is a shame.

                    KOM

                      Yeah I saw that earlier but I figured he must have changed it or he would be facing much larger problems in regard to Android and HTTPS with a transparent proxy.

                      Moscu

                        I think paying for an OpenDNS subscription (like $20/year) could be considered in this situation.  No need to worry about HTTP or HTTPS or configuring clients if you're using DHCP.  The only thing you must do is block DNS queries to other servers in the firewall.

                        The main problem with OpenDNS is that you can't segregate between blocked and non-blocked clients, so to accomplish this you need to set up a local DNS server and the corresponding DHCP reservations and firewall rules.

                        KOM

                          The main problem with OpenDNS is that you can't segregate between blocked and non-blocked clients

                          You can in a way via firewall rules.  Non-blocked clients can get direct access out via port 53 to whatever DNS they choose.  Blocked clients will have their DNS requests captured and handled by pfSense.

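The firewall side of the two points made above, written out as raw pf rules: Moscu's observation that a transparent proxy only redirects port 80 (so HTTPS goes direct), and KOM's split where filtered clients have their DNS captured by pfSense while unfiltered clients may use any resolver. This is an added example, not configuration from the thread or from the pfSense project; pfSense normally generates the equivalent rules from its NAT and firewall GUI pages. The interface name, addresses, table contents and Squid listening port are assumed placeholders.

```pf
# Added example, not from the thread. Assumed values: LAN interface igb1, LAN subnet
# 192.168.1.0/24, firewall LAN address 192.168.1.1, Squid listening on 127.0.0.1:3128.
lan_if  = "igb1"
lan_net = "192.168.1.0/24"
lan_ip  = "192.168.1.1"

# Clients that must use the filtering resolver. Populate from the DHCP reservations
# that pin these devices to fixed addresses (addresses here are placeholders).
table <filtered_clients> { 192.168.1.50, 192.168.1.51 }

# --- translation rules (pf evaluates these before the filter rules) ---

# Transparent proxy: only TCP port 80 is redirected to Squid. Nothing rewrites 443,
# which is why HTTPS traffic never reaches Squid/SquidGuard in this setup.
rdr on $lan_if proto tcp from $lan_net to ! $lan_ip port 80 -> 127.0.0.1 port 3128

# Filtered clients: any DNS query not already aimed at the firewall is redirected to
# the firewall's own resolver, which forwards to the filtering provider (e.g. OpenDNS).
rdr on $lan_if proto { tcp, udp } from <filtered_clients> to ! $lan_ip port 53 -> $lan_ip port 53

# --- filter rules ---

# Filtered clients may speak DNS to the firewall only. The block line is a safety net:
# after the rdr above it only matches if the redirect did not apply.
pass  in quick on $lan_if proto { tcp, udp } from <filtered_clients> to $lan_ip port 53
block return in quick on $lan_if proto { tcp, udp } from <filtered_clients> to any port 53

# Unfiltered clients are free to use whatever resolver they choose.
pass in quick on $lan_if proto { tcp, udp } from $lan_net to any port 53
```

The DNS redirect is what makes a DNS-based filter such as OpenDNS hold for the filtered devices regardless of HTTP or HTTPS, because the block is applied at name resolution rather than at the proxy. It does not cover a device that ships its own resolver configuration over an encrypted channel or that falls back to a cellular data plan, which is the same limit KOM noted for the proxy approach.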
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.